pulumi-community #general

Channels

general

flat-insurance-25294

12/20/2019, 11:00 AM

I got some issues with a few things Pulumi does before we can actually start migrating over, I am hoping I could get some eyes on this and maybe even suggestions. I am not comfortable with secrets stored in the repo. Encrypted or not. We do store the secrets on Github, but not in the repo, but as Github Action secrets. In fact, we also store configs there ( but not as secret). In the future we would like to store our configs as an .env file and read that into the CI. Is there a way Pulumi could work without config and secrets being defined in the stack.yml file?

gifted-engine-92308

12/20/2019, 11:01 AM

So I have tried with child_process:

gifted-engine-92308

12/20/2019, 11:01 AM

let out = exec("pulumi up -y", (err, stdout) => {
      if (err) {
        console.log(err);
        console.log(stdout);

        throw new Error("Failed to call up on pulumi " + err);
      }

      observer.complete();
    })

gifted-engine-92308

12/20/2019, 11:01 AM

and execa

gifted-engine-92308

12/20/2019, 11:01 AM

const subp = execa.sync("pulumi", ['up', '-y'], {
        cwd: options.targetDirectory
      });
      subp.stdout.pipe(process.stdout);
      const { stdout } = await subp;

gifted-engine-92308

12/20/2019, 11:02 AM

either way it just hangs half way through or errors in some way that it doesn't when running it in terminal

flat-insurance-25294

12/20/2019, 11:05 AM

Is there a typo there?

execa?

flat-insurance-25294

12/20/2019, 11:06 AM

What kind of error?

gifted-engine-92308

12/20/2019, 11:07 AM

execa is a node package

gifted-engine-92308

12/20/2019, 11:07 AM

the child_process error is this:

Error: Failed to call up on pulumi Error: Command failed: pulumi up -y

    at exec (/Users/waynedouglas/src/sonaticket-pulumi/commands/up.js:25:15)
    at ChildProcess.exithandler (child_process.js:301:5)
    at ChildProcess.emit (events.js:198:13)
    at ChildProcess.EventEmitter.emit (domain.js:448:20)
    at maybeClose (internal/child_process.js:982:16)
    at Socket.stream.socket.on (internal/child_process.js:389:11)
    at Socket.emit (events.js:198:13)
    at Socket.EventEmitter.emit (domain.js:448:20)
    at Pipe._handle.close (net.js:607:12)

gifted-engine-92308

12/20/2019, 11:07 AM

so nothing of any use!

gifted-engine-92308

12/20/2019, 11:07 AM

i'm currently running pulumi up and it's already gone beyond where it was

flat-insurance-25294

12/20/2019, 11:13 AM

Not having those issues here with Ruby, I will try out with Node later but I can’t right now. Anyhow, that’s how we do it. We use Ruby to prepare a lot of stuff, like creating new stacks, feeding secrets and configs and etc.

flat-insurance-25294

12/20/2019, 11:14 AM

Which brings me to my question I got some issues with a few things Pulumi does before we can actually start migrating over, I am hoping I could get some eyes on this and maybe even suggestions. I am not comfortable with secrets stored in the repo. Encrypted or not. We do store the secrets on Github, but not in the repo, but as Github Action secrets. In fact, we also store configs there as clear text. In the future we would like to store our configs as an .env file and read that into the CI. Is there a way Pulumi could work without config and secrets being defined in the stack.yml file?

flat-insurance-25294

12/20/2019, 11:16 AM

@gifted-engine-92308 try this

const { spawn } = require('child_process');
const ls = spawn('pulumi', ['up', '-y']);

ls.stdout.on('data', (data) => {
  console.log(`stdout: ${data}`);
});

ls.stderr.on('data', (data) => {
  console.error(`stderr: ${data}`);
});

ls.on('close', (code) => {
  console.log(`child process exited with code ${code}`);
});

gifted-engine-92308

12/20/2019, 11:17 AM

ah ok

flat-insurance-25294

12/20/2019, 11:17 AM

Let me know how it works, I’m curious. We wanna switch Ruby to typescript eventually

gifted-engine-92308

12/20/2019, 11:19 AM

i'll be trying it within the next 5 mins 🙂

gifted-engine-92308

12/20/2019, 11:28 AM

ok - so now I have an error that i can see 🙂

gifted-engine-92308

12/20/2019, 11:28 AM

so that method is definitely better

flat-insurance-25294

12/20/2019, 11:38 AM

What was the error?

gifted-engine-92308

12/20/2019, 11:41 AM

it's something related to cert-manager that's not happening when i run it in terminal so looking into that now

flat-insurance-25294

12/20/2019, 3:03 PM

@gifted-engine-92308 Can you check if it’s possible to await an output? Since we check configs for conditionals.

cool-egg-852

12/20/2019, 4:25 PM

Why does pulumi not realize the instance is gone and stop trying to delete the user?

gcp:sql:User (sellercenter-vtex-gateway-vault):
    error: deleting urn:pulumi:development::sellercenter-vtex-gateway::gcp:sql/user:User::sellercenter-vtex-gateway-vault: Error, failed to deleteuser vault in instance sellercenter-vtex-c7eeaca: googleapi: Error 400: Invalid request: Invalid request since instance is not running., invalid

  gcp:sql:User (sellercenter-vtex-gateway):
    error: deleting urn:pulumi:development::sellercenter-vtex-gateway::gcp:sql/user:User::sellercenter-vtex-gateway: Error, failed to deleteuser sellercenter-vtex-gateway-7acd01a in instance sellercenter-vtex-c7eeaca: googleapi: Error 400: Invalid request: Invalid request since instance is not running., invalid

better-rainbow-14549

12/20/2019, 4:47 PM

you might be able to do a pulumi refresh to make it notice

better-rainbow-14549

12/20/2019, 4:47 PM

instead of it failing to delete

great-tomato-45422

12/20/2019, 7:26 PM

is there a way to do pulumi preview without it building containers?

👋 1

prehistoric-account-60014

12/20/2019, 10:22 PM

Can somebody help with debugging a

status code from the CLI? I’m attempting to run:

pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)

but all I’m seeing is:

error: could not decrypt configuration value: [400] Message authentication failed

I was hoping

--verbose=3

would help a bit but there isn’t any extra information compared to the non-verbose run.

prehistoric-account-60014

12/20/2019, 11:49 PM

Is there a resource similar to

azure.containerservice.Registry

or data source similar to

gcp.container.getRegistryRepository

for

@pulumi/gitlab

flat-insurance-25294

12/21/2019, 2:05 PM

How strongly is tagging enforced in Pulumi? I’m concerned over the amount of resources created and no way to track them in the AWS console. We don’t issue deletion/destroying via Pulumi but manually via the AWS console and want to keep it that way.

Title

flat-insurance-25294

12/21/2019, 2:05 PM

white-balloon-205

12/21/2019, 3:07 PM

Pulumi itself is not opinionated about tagging - but you can provide tags yourself - and there are several features to help you enforce this yourself: 1. Components that you create which include tags which can be reused 2. Stack transformations to auto-inject tags into supported resource types 3. Policy as code to enforce that resources cannot be created without tags

flat-insurance-25294

12/21/2019, 3:07 PM

Hmm so if I set tags on a stack, it will seed it to all the resources created? Including Subnets in a VPC?

@white-balloon-205 The policy thing is nice, but I saw a tutorial that extended the TS runtime to enforce it at compile time might combine both but actually seeding tags via stack sounds like a even better solution, if anything it’s a big catch all in case policy and ts compile time fails 🙂

Now I gotta figure out IAM stuff. I am a bit confused over those portions. I want to dynamically create my stacks per pr and setup resources on AWS. I don’t want to allow destroying any resource, just mutate or create. But I guess pulimi sometimes need destroyable roles/auth because create might need it, am I correct?

View count: 1